- Newest
- Most votes
- Most comments
I would doublecheck the security group config - If you have added an s3 gateway endpoint the most common misconfiguration I see is forgetting to allow outbound to the s3 prefix list for the region within the security group. See here - "Security group outbound rules" section. If you have used an s3 interface endpoint you need to allow outbound to the interface endpoint itself
Are you sure you have 1) deployed lambda into your PRIVATE subnets AND 2) there is route from private subnet to internet via NAT GW in public subnet(s). Even if you have a route to S3 via endpoint, I think you still need internet access as well for lambda to work properly (or maybe you can provide this with additional interface endpoints(?). You can also test sample VPC setups from https://docs.aws.amazon.com/lambda/latest/dg/configuration-vpc.html
Security Groups (SG)
- The SG that the Lambda is in has to have Outbound access to the SG containing the VPC Endpoint (VPCE) - outbound is usually ALL for a SG
- The SG that VPCE is in has to have Inbound permission from the SF containing the Lambda
The above applies even if the Lambda and VPCE are in the same SG -- that is you need an inbound rule from the SG to itself.
Routing
- By Default you should have a local route in all your route tables. If you changed this, then that could be an issue
Relevant content
- asked 6 days ago
- asked 5 years ago
- Accepted Answerasked 8 months ago
AWS OFFICIALUpdated 2 years ago- AWS OFFICIALUpdated 3 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
